The present invention relates generally to managing resources within a communications environment, and, more particularly, to a method and system for authenticating a requestor without providing a key.
In one embodiment, a communications environment includes a plurality of client nodes coupled to one or more server nodes via a communications medium. One example of such a communications medium is the InfiniBand™ transport, which is described in further detail in “InfiniBand Architecture Specification Volume 1,” Release 1.2, October, 2004, available from the InfiniBand Trade Association at 5440 SW Westgate Drive, Suite 217, Portland, Oreg., 97221, or online at www.Infinibandta.org, which is hereby incorporated herein by reference in its entirety. InfiniBand is a trademark of the InfiniBand Trade Association.
The InfiniBand transport enables a set of interconnected client and server nodes, referred to as a subnet, to communicate with one another. It also provides a partitioning scheme that allows a subnet to be logically subdivided into sets of nodes, referred to as partitions. A partition includes one or more client nodes, as well as one or more server nodes. A node, such as a server node, can be included in more than one partition. The members of a partition communicate with one another, but are unaware of any other partition.
Within an InfiniBand™ (IB) fabric, resource provider nodes that may be shared by various client nodes are partitioned by a network administrator such that each client node is allowed to use all of the resources at the shared node. Thus, when a node (e.g., a server node) is included in multiple partitions, all of the resources of that node are accessible by all of the partitions that include that node. When a resource provider node receives a request from a client node, it provides access to all of the resources that the client node is allowed to use regardless of the application within the client node from which the request came. However, this accessibility is undesirable (e.g., from a security standpoint) when there is a need to restrict the resources that each application can use to a subset of the client's full resources. Thus, a need exists for a capability that restricts the resources that each application on a given client node is allowed to use. In Attorney Docket Number POU9-2004-0157US1, filed concurrently herewith, a capability is disclosed in which the resource allocations of a client node's applications may be dynamically changed without the need for human interaction, such that system operations may continue uninterrupted.
In an earlier version of that capability, a 64-bit or an arbitrarily long binary key is entered at the provider node (e.g., a storage device), and then entered again at the client node (e.g., a host operating system). This authentication approach is time consuming, and manual entry of a long binary key is error prone. Thus, it would be desirable to enable a customer to define the resource allocations once, at the resource provider node, and to allow the client (identified in the InfiniBand architecture by a unique hardware identifier) to obtain the binary keys so authorized from a key provider node, without the client having to supply a key (or password) in its request to the key provider node. This in turn would eliminate the requirement to reenter the key at the client, as well as avoid any errors associated with incorrectly entering that key.
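The flow just described, as an added illustration that is not code from the patent or from any InfiniBand implementation: an administrator defines at the resource provider which application on which client may use which subset of resources, the provider generates the 64-bit key itself, and a key provider hands that key to the client on the strength of the client's hardware identifier alone, so the request carries no key or password. The class names, the `hw_id`/`app` parameters, the constructed hardware identifiers and the resource names are assumptions made for this example.

```python
# Added example, not code from the patent or from any InfiniBand implementation.
# Models the flow described above: allocations are defined at the resource
# provider, keys are generated there rather than typed, and a key provider
# issues them to a client identified only by its hardware identifier.
# ResourceProvider, KeyProvider, hw_id, app and all sample data are assumptions.
import hmac
import secrets

KEY_BYTES = 8  # 64-bit binary key, as in the manually entered scheme above


class ResourceProvider:
    """A shared node (e.g. a storage device) holding the allocation definition."""

    def __init__(self, resources):
        self.resources = frozenset(resources)
        # (hw_id, app) -> (key, frozenset of resources that key unlocks)
        self._grants = {}

    def define_allocation(self, hw_id, app, allowed):
        """Administrator step: restrict `app` on client `hw_id` to `allowed`.

        The key is generated here and never has to be typed anywhere."""
        allowed = frozenset(allowed)
        if not allowed <= self.resources:
            raise ValueError(f"unknown resources: {sorted(allowed - self.resources)}")
        key = secrets.token_bytes(KEY_BYTES)
        self._grants[(hw_id, app)] = (key, allowed)
        return key

    def grants_for(self, hw_id):
        """Every key defined for one client; consulted by the key provider."""
        return {app: key for (h, app), (key, _) in self._grants.items() if h == hw_id}

    def authorize(self, hw_id, app, key, resource):
        """Request-time check: right client, right app, right key, resource in subset."""
        grant = self._grants.get((hw_id, app))
        if grant is None:
            return False
        expected, allowed = grant
        # constant-time comparison so the key cannot be recovered byte by byte via timing
        return hmac.compare_digest(expected, key) and resource in allowed


class KeyProvider:
    """Node that hands a client its authorized keys without being given one."""

    def __init__(self, provider):
        self._provider = provider

    def keys_for(self, hw_id):
        # The request is identified by hw_id alone. Whether that identifier can be
        # trusted is a property of the fabric (assumed here), not of this lookup.
        return self._provider.grants_for(hw_id)


def demo():
    """Walk through the flow with constructed sample data."""
    storage = ResourceProvider({"lun0", "lun1", "lun2"})
    host = 0x0002C90300000001  # constructed 64-bit hardware identifier
    storage.define_allocation(host, "db", {"lun0", "lun1"})
    storage.define_allocation(host, "backup", {"lun2"})

    keys = KeyProvider(storage).keys_for(host)  # no key or password in the request
    db_ok = storage.authorize(host, "db", keys["db"], "lun0")
    db_denied = storage.authorize(host, "db", keys["db"], "lun2")  # outside the subset
    swapped = storage.authorize(host, "backup", keys["db"], "lun2")  # wrong app's key
    stranger = KeyProvider(storage).keys_for(0x0002C90300000099)  # no allocation defined
    return db_ok, db_denied, swapped, stranger
```

The example trusts the hardware identifier it is handed; in a real fabric the scheme is only as strong as the fabric's guarantee that a request really originates from the node bearing that identifier, which is an assumption of this illustration rather than something the text above establishes.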